The Data Security Risks with Offshore Outsourcing
Monday, October 22, 2007
We've all read news articles about how companies, in order to remain competitive, have moved jobs and work to other companies (outsourcing), and/or have moved jobs and work to companies in other countries (offshore outsourcing). Philip Alexander has written an excellent article in SearchCIO.com about the risks with offshore outsourcing... which can expose the sensitive personal data of customers, employees, and former employees.
Mr. Alexander gets right to the point:
"... there is more to consider than just the lower labor costs of employees in India versus their domestic counterparts... it's important to make sure that in addition to going after cheap labor, you're not buying yourself a slew of security exposures as well. The decision on whether or not to outsource should not rest solely with the CFO. The chief security and compliance officers should also be involved because of the many security- and regulatory-related issues involved with offshore outsourcing."
If you live in a state where consumer notification is required when the company has a data breach, it is important to remember that:
"With the rash of highly publicized data breaches, 36 states now have their own disclosure laws mandating that companies inform customers in the event of either an actual or suspected security breach. This applies to data breaches that occur overseas if you send sensitive customer data offshore."
I applaud Mr. Alexander for challenging CIOs (Chief Information Officers) and CSOs (Chief Security Officers) to consider the risk and not just the financial benefits. Mr. Alexander lists two major issues regarding offshore data security and risk:
The first is granting offshore engineers access to computer systems located within your company's network. Are you monitoring the activities of the overseas engineers? If the work that's being sent offshore is project-based, are you ensuring that access is removed when the project is completed? Do you have security professionals monitoring the activities of the offshore engineers?
The second issue, and the most important:
"... review what type of work is safe to send offshore. For instance, outsourcing production support overseas entails a high degree of risk... You should consider projects that don't entail sending sensitive customer information offshore, or granting remote access to your internal network. Software development doesn't require providing sensitive customer data offshore. The development work can be performed offshore, then the code can be securely transmitted to your company."
The only issue I have with Mr. Alexander's article is his focus on CIOs and CSOs. I believe that senior managers in general management, human resources, and customer service should also be challenged to consider the risks of offshore-outsourcing decisions. All departments handle sensitive data and all departments need training in effective data security practices. All of this becomes even more critical as companies headquartered in other countries acquire or merge with US-based companies.
For some background, read this GAO report about Medicare and Medicaid, or this article about data breaches at outsourcing firms in India. I'd love to see a consultancy or accounting firm independently audit the major brokerages against the criteria Mr. Alexander stated in his article. What do you think?
Nice informative post....thanks for sharing your nice work.
Posted by: Offshore Web Development | Monday, May 11, 2009 at 07:41 AM
Data security risk depends on the nature of the outsourcing service, e.g., if you are engaged in software development with any development company, there is no risk of your informative data being stolen.
But if you are engaged in a call center, bank or any customer support (call center / customer support), there is a chance of data theft. So it would be best to know their portfolio beforehand, and don't hesitate to contact their existing customers (who are mostly published on the testimonial page) to get their feedback.
Posted by: khurram | Thursday, December 16, 2010 at 12:39 PM
I am very upset with our government. How can they allow credit reporting agencies, Equifax, Experian, and Transunion, to outsource all of the information on our credit reports to another country? That alone should be a threat to our country's security. I don't want someone in another country having access to my personal and financial information.
Many, many people in the US do not know that their credit information is being outsourced. Is there any government agency that cares about this?
Posted by: CD | Wednesday, September 07, 2011 at 12:08 PM
Thanks to CD for the comment. I assume that you have read the 4-part series in this blog:
Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 1)
That series of reports mentioned several countries where credit reporting agencies offshore work to call centers. It seems that the U.S. Congress is happy to let this continue. And, consumers are forced to use all three of the major credit reporting agencies, regardless of the number of errors they may introduce into your credit reports.
I encourage you to contact your elected officials with your complaints:
Posted by: George | Thursday, September 08, 2011 at 01:19 AM
Philip Alexander has written an excellent article in SearchCIO.com about the risks with offshore outsourcing... which can expose the sensitive personal data of customers, employees, and former employees.
Posted by: Security Jobs | Wednesday, April 18, 2012 at 04:58 AM